```Newsgroups: sci.crypt
Path: cactus.org!ritter
From: ritter@cactus.org (Terry Ritter)

Subject: Re: Block Mixing Transformations
Message-ID: <1994Mar15.065615.3895@cactus.org>
Keywords: DES replacement, Large blocks
Organization: Capital Area Central Texas UNIX Society, Austin, Tx
References: <1994Mar13.051515.27175@cactus.org> <1994Mar14.223702.
+           6452@mnemosyne.cs.du.edu>
Date: Tue, 15 Mar 1994 06:56:15 GMT

In: <1994Mar14.223702.6452@mnemosyne.cs.du.edu> colin@nyx10.cs.du.edu
(Colin Plumb) comments on block mixing transforms:

>The algorithm is self-inverse.
>[...]
>This means that
>if it is used in a structure like an FFT butterfly to encrypt large
>blocks [...]

perhaps this quote from the original article will ring a bell:

>> Simple constructs like
>>
>>           A      B
>>           |      |
>>           v      v
>>           MixTrans
>>           |      |
>>           v      v
>>           C      D
>>
>> are not likely to be very useful as ciphers by themselves, even if
>> the mixing transformation is keyed and the blocks are large.

My intent in defining such constructs was to try and separate the
concepts of "strength" from the "mixing" property.  This means
that we do not have to define what "strength" means in such a
construct, but can instead rely on more classical forms, such as
DES or substitution.

>From A+B, it is easy to obtain most of T, save only the term of p which
>may be added in the modular reduction.
>
>Because this depends on the high
>bit of A+B, it is also easy to see when this has been added.

Well, the original polynomial reduction (when p is added) is
conditional upon the shifted-out-and-lost upper bit of T.
It is not there (not in the output) to see.

Certainly we can expect to form the inverse T (say, T') given
what p was when it was added.  Hopefully, we will not have that
access.  I believe I made that requirement clear:

>> It is crucial to remember that these simple, high-speed, but linear
>> mixing transforms can be said to have "strength" only if the input
>> and output values are never both available.  That is, these
>> structures do not by themselves handle "known-plaintext" attack.
>> (Of course, the same could be said for many other simple internal
>> mechanisms used in block cipher construction.)

>Given a very few pairs (X,Y) of ciphertext only, half of them will
>have the high bit of X^Y clear, so the plaintext can be recovered using
>T = (X^Y)<<1; A = Y^T; B = X^T;

For those cases where msb(X^Y) = 0.

>If there are any exploitable patterns
>in A and B, these can be used to find p in the cases where X^Y has
>its high bit set and T = (X^Y)<<1; A = Y^T^p; B = X^T^p;, for some
>unknown p.  Finding p should not be difficult.

In many (most?) cases A and B should already be randomized by the
time they get to the mixer being attacked.  Without "exploitable
patterns," finding p will get a whole lot trickier.

It certainly is true that the structure is weak.  Since it is weak,
it must be protected.  But when the structure is protected, finding
p becomes difficult.

Anyway, I claim the real issue is: "Does it mix well?"  The answer
may be: "Not all that well, but we can afford to do a lot of it."

>As an aside, if you want a better block-mixing function, try starting
>with the MA-structure used in IDEA:
>
>
>      A    B
>      |    |
>      v    v
> K1-->*--->+
>      |    |
>      |    |
>      v    v
>      +<---*<--K2
>      |    |
>      v    v
>      X    Y

I say you get what you pay for.  This proposal implies two full
polynomial multiplications per mixing, at a cost of O(n^2) each.
And while it may be said to be "stronger" (and also a better
mixer), the question of how many such structures are required
(that is, how many "rounds" are needed) is one of the open
questions in cryptography, so this added "strength" is difficult
to use.  And, because the cost of these mixers is O(n^2), the
structure cannot be expanded dramatically without considering the
impact on speed or circuit complexity.

In contrast, I proposed a scheme with no general multiplications
at all, just a single shift and three adds; cost O(n) each.  Such
a scheme is not a cipher, nor was it intended to be.  It was
intended to be a mixer (and, in fact, not that good a mixer).
But with it, we might avoid depending on the strength of
designs which are not well understood.  And the structure can be
expanded arbitrarily in the sense that one large mixer has the
same cost as many little ones which handle the same data.

One of the examples in the original article showed 61 mixing
operations for a single 256-bit block operation.  Given that
the mixing structure is so weak, perhaps a better approach
would be:

S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S
mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix
--mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix--
------mix------ ------mix------ ------mix------ ------mix------
--------------mix-------------- --------------mix--------------
------------------------------mix------------------------------
--------------mix-------------- --------------mix--------------
------mix------ ------mix------ ------mix------ ------mix------
--mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix--
mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix
S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S
mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix
--mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix--
------mix------ ------mix------ ------mix------ ------mix------
--------------mix-------------- --------------mix--------------
------------------------------mix------------------------------
--------------mix-------------- --------------mix--------------
------mix------ ------mix------ ------mix------ ------mix------
--mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix-- --mix--
mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix mix
S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S

This is 122 total mixing operations, but they are O(n) so the
cost is something like 4 * 18 * 128 = 9216 (and probably less).

levels * mixings-per-level * cost-per-mixer * size

2 *  1 * 4 * 128 +
4 *  2 * 4 *  64 +
4 *  4 * 4 *  32 +
4 *  8 * 4 *  16 +
4 * 16 * 4 *   8 =  9216

If we use the IDEA-derived mixer we have:

levels * mixings-per-level * cost-per-mixer * size^2

2 *  1 * 2 * 128^2 +
4 *  2 * 2 *  64^2 +
4 *  4 * 2 *  32^2 +
4 *  8 * 2 *  16^2 +
4 * 16 * 2 *   8^2 =  188,416

or over 20 times the computation of the simple approach.

Of course, the ideal would be

S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S
------------------------------mix------------------------------
S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S
------------------------------mix------------------------------
S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S

If we use the simple mixer we have 4 * 128 = 512; with the IDEA-type
mixer, we have a cost of 2 * 2 * (128)^2 or 65,536; approximately
128 times the cost of the simple approach.

Is the version with the IDEA-type mixer stronger?  Probably.  But
is it likely to be stronger than, say, 100 sequential versions using
the simple mixer, which would require about the same processing?

Sometimes added strength is not worth the cost.

---
Terry Ritter   ritter@cactus.org (cactus.org dies March 18)
ritter@rts.com
ritter@io.com (perhaps temporarily)

```